Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: Rob Crittendenwrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investagate further. But if not, I still think this is the way to go considering the underline issue which we tried to solve by this change. From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use "filter" for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type. Jan Ack but this patch needs a rebase. rob Rebased patch in attachment Jan pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
On 01/07/2011 12:05 PM, Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: > Rob Crittenden wrote: > > Jan Zelený wrote: > > > Recent change of DNS module to version caused that dns object type > > > was replaced by dnszone and dnsrecord. This patch corrects dns types > > > in permissions class. > > > > > > https://fedorahosted.org/freeipa/ticket/646 > > > > Nack. These values need to be added as valid types to the aci plugin and > > the _type_map needs to be updated. > > > > rob > > I'm sending an updated patch. > > Jan Just a reminder that this patch needs to be reviewed. Thanks Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. Can the type be made more specific? rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Rob Crittenden wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > >> Jan Zelený wrote: > >>> Recent change of DNS module to version caused that dns object type > >>> was replaced by dnszone and dnsrecord. This patch corrects dns types > >>> in permissions class. > >>> > >>> https://fedorahosted.org/freeipa/ticket/646 > >> > >> Nack. These values need to be added as valid types to the aci plugin and > >> the _type_map needs to be updated. > >> > >> rob > > > > I'm sending an updated patch. > > > > Jan > > Since dnszone and dnsrecord point to the same kind of entry what is the > point of having two separate names for them? When we read the entry we > aren't going to be able to differentiate between the two. I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. > Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investagate further. But if not, I still think this is the way to go considering the underline issue which we tried to solve by this change. Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > Rob Crittenden wrote:
> > >> Jan Zelený wrote:
> > >>> Recent change of DNS module to version caused that dns object type
> > >>> was replaced by dnszone and dnsrecord. This patch corrects dns types
> > >>> in permissions class.
> > >>>
> > >>> https://fedorahosted.org/freeipa/ticket/646
> > >>
> > >> Nack. These values need to be added as valid types to the aci plugin
> > >> and the _type_map needs to be updated.
> > >>
> > >> rob
> > >
> > > I'm sending an updated patch.
> > >
> > > Jan
> >
> > Since dnszone and dnsrecord point to the same kind of entry what is the
> > point of having two separate names for them? When we read the entry we
> > aren't going to be able to differentiate between the two.
>
> I didn't take a look how the type thing works, so I'm kinda guessing here
> (please ignore the comment if it is wrong):
> Sure, object with idnszone class is always also in dnsrecord class, but
> that's not the case backwards (idnsrecord object isn't always idnszone) -
> so I think it is possible to set different ACIs for these two types.
>
> > Can the type be made more specific?
>
> If the mapping doesn't distinguish object classes and it can, maybe that's
> the answer. Will investagate further. But if not, I still think this is
> the way to go considering the underline issue which we tried to solve by
> this change.
From what I found I think that making changes necessary to distinguish
dnsrecord and dnszone are not worth it, especially that user can use "filter"
for that purpose. Since having both of them doesn't have any additional value,
I'm sending new version of the patch, which is only adding dnsrecord type.
Jan
From 0b7c6ddbc5e40e802357c01fb4d568965b77165e Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Thu, 13 Jan 2011 17:32:57 +0100
Subject: [PATCH] Changed dns permission types
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns types
in permissions class.
https://fedorahosted.org/freeipa/ticket/646
---
ipalib/plugins/aci.py|5 +++--
ipalib/plugins/permission.py |2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 939fe535ab01bec9be0caa1952b4a36123bcc2db..d7765488fa1c48d618030564d652a90143bd0123 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -135,7 +135,7 @@ _type_map = {
'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn),
'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn),
'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn),
-'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn),
+'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn),
}
_valid_permissions_values = [
@@ -382,7 +382,7 @@ class aci(Object):
cli_name='type',
label=_('Type'),
doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
+values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'),
),
Str('memberof?',
cli_name='memberof',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 43bb2634d34cab8d2bb8ecbce883df8008c34645..182a02cc389c970962e93c4e1653cbbfeee3f30b 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -121,7 +121,7 @@ class permission(LDAPObject):
cli_name='type',
label=_('Type'),
doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
-values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
+values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord',),
),
Str('memberof?',
cli_name='memberof',
--
1.7.3.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: > Jan Zelený wrote: > > Rob Crittenden wrote: > > > Jan Zelený wrote: > > > > Rob Crittenden wrote: > > > >> Jan Zelený wrote: > > > >>> Recent change of DNS module to version caused that dns object type > > > >>> was replaced by dnszone and dnsrecord. This patch corrects dns > > > >>> types in permissions class. > > > >>> > > > >>> https://fedorahosted.org/freeipa/ticket/646 > > > >> > > > >> Nack. These values need to be added as valid types to the aci plugin > > > >> and the _type_map needs to be updated. > > > >> > > > >> rob > > > > > > > > I'm sending an updated patch. > > > > > > > > Jan > > > > > > Since dnszone and dnsrecord point to the same kind of entry what is the > > > point of having two separate names for them? When we read the entry we > > > aren't going to be able to differentiate between the two. > > > > I didn't take a look how the type thing works, so I'm kinda guessing here > > (please ignore the comment if it is wrong): > > Sure, object with idnszone class is always also in dnsrecord class, but > > that's not the case backwards (idnsrecord object isn't always idnszone) - > > so I think it is possible to set different ACIs for these two types. > > > > > Can the type be made more specific? > > > > If the mapping doesn't distinguish object classes and it can, maybe > > that's the answer. Will investagate further. But if not, I still think > > this is the way to go considering the underline issue which we tried to > > solve by this change. > > From what I found I think that making changes necessary to distinguish > dnsrecord and dnszone are not worth it, especially that user can use > "filter" for that purpose. Since having both of them doesn't have any > additional value, I'm sending new version of the patch, which is only > adding dnsrecord type. > > Jan Just a small reminder that this patch is ready to be re-reviewed. Thanks Jan ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Jan Zelený wrote: Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: Rob Crittenden wrote: Jan Zelený wrote: Recent change of DNS module to version caused that dns object type was replaced by dnszone and dnsrecord. This patch corrects dns types in permissions class. https://fedorahosted.org/freeipa/ticket/646 Nack. These values need to be added as valid types to the aci plugin and the _type_map needs to be updated. rob I'm sending an updated patch. Jan Since dnszone and dnsrecord point to the same kind of entry what is the point of having two separate names for them? When we read the entry we aren't going to be able to differentiate between the two. I didn't take a look how the type thing works, so I'm kinda guessing here (please ignore the comment if it is wrong): Sure, object with idnszone class is always also in dnsrecord class, but that's not the case backwards (idnsrecord object isn't always idnszone) - so I think it is possible to set different ACIs for these two types. Can the type be made more specific? If the mapping doesn't distinguish object classes and it can, maybe that's the answer. Will investagate further. But if not, I still think this is the way to go considering the underline issue which we tried to solve by this change. From what I found I think that making changes necessary to distinguish dnsrecord and dnszone are not worth it, especially that user can use "filter" for that purpose. Since having both of them doesn't have any additional value, I'm sending new version of the patch, which is only adding dnsrecord type. Jan Ack but this patch needs a rebase. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Changed dns permission types
Rob Crittenden wrote:
> Jan Zelený wrote:
> > Jan Zelený wrote:
> >> Rob Crittenden wrote:
> >>> Jan Zelený wrote:
> Rob Crittenden wrote:
> > Jan Zelený wrote:
> >> Recent change of DNS module to version caused that dns object type
> >> was replaced by dnszone and dnsrecord. This patch corrects dns types
> >> in permissions class.
> >>
> >> https://fedorahosted.org/freeipa/ticket/646
> >
> > Nack. These values need to be added as valid types to the aci plugin
> > and the _type_map needs to be updated.
> >
> > rob
>
> I'm sending an updated patch.
>
> Jan
> >>>
> >>> Since dnszone and dnsrecord point to the same kind of entry what is the
> >>> point of having two separate names for them? When we read the entry we
> >>> aren't going to be able to differentiate between the two.
> >>
> >> I didn't take a look how the type thing works, so I'm kinda guessing
> >> here (please ignore the comment if it is wrong):
> >> Sure, object with idnszone class is always also in dnsrecord class, but
> >> that's not the case backwards (idnsrecord object isn't always idnszone)
> >> - so I think it is possible to set different ACIs for these two types.
> >>
> >>> Can the type be made more specific?
> >>
> >> If the mapping doesn't distinguish object classes and it can, maybe
> >> that's the answer. Will investagate further. But if not, I still think
> >> this is the way to go considering the underline issue which we tried to
> >> solve by this change.
> >>
> > From what I found I think that making changes necessary to distinguish
> >
> > dnsrecord and dnszone are not worth it, especially that user can use
> > "filter" for that purpose. Since having both of them doesn't have any
> > additional value, I'm sending new version of the patch, which is only
> > adding dnsrecord type.
> >
> > Jan
>
> Ack but this patch needs a rebase.
>
> rob
Rebased patch in attachment
Jan
From 0b7c6ddbc5e40e802357c01fb4d568965b77165e Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Thu, 13 Jan 2011 17:32:57 +0100
Subject: [PATCH] Changed dns permission types
Recent change of DNS module to version caused that dns object type
was replaced by dnszone and dnsrecord. This patch corrects dns types
in permissions class.
https://fedorahosted.org/freeipa/ticket/646
---
ipalib/plugins/aci.py|5 +++--
ipalib/plugins/permission.py |2 +-
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 939fe535ab01bec9be0caa1952b4a36123bcc2db..d7765488fa1c48d618030564d652a90143bd0123 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -135,7 +135,7 @@ _type_map = {
'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn),
'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn),
'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn),
-'dns': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn),
+'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn),
}
_valid_permissions_values = [
@@ -382,7 +382,7 @@ class aci(Object):
cli_name='type',
label=_('Type'),
doc=_('type of IPA object (user, group, host, hostgroup, service, netgroup)'),
-values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
+values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'),
),
Str('memberof?',
cli_name='memberof',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 43bb2634d34cab8d2bb8ecbce883df8008c34645..182a02cc389c970962e93c4e1653cbbfeee3f30b 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -128,7 +128,7 @@ class permission(LDAPObject):
cli_name='type',
label=_('Type'),
doc=_('Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'),
-values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dns',),
+values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord',),
flags=('ask_create', 'ask_update'),
),
Str('memberof?',
--
1.7.3.4
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
